CHINESE-owned online megastore Temu has gripped consumers with its winning slogan of shopping ‘like a billionaire on a budget’.
It is the global-facing branch of retail giant Pinduoduo, which created Temu to thrive outside of China and has an estimated 750 million customers each month.
The Sun recently revealed the true cost of shopping with Temu amid fears of spying and Beijing’s influence.
But security experts and lawmakers alike have turned their attention to Temu’s sister app Pinduoduo (PDD), which they fear could be even more sinister.
“Downloading and using Temu could pose a potential privacy risk to customers, although this risk is not, at the present time, as severe as the one Pinduoduo poses,” Ian Reynolds of cybersecurity company SecureTeam, told The Sun.
Temu requests a whopping 24 permissions, including Bluetooth access and Wi-Fi information, which Reynolds fears could leave consumers vulnerable to cyber attacks.
Pinduoduo, however, is far more invasive, according to experts – particularly for Android users.
Other popular ecommerce sites like Amazon, eBay and Etsy can also collect and share customer data, but their practices aren’t as “extensive” as Pinduoduo’s, according to Marijus Briedis, chief technology officer at NordVPN.
Advanced malware
Google suspended Pinduoduo from its Play Store in March after malware was discovered in versions of the retail app distributed outside the Play Store.
Senior mobile security researcher at app security company Promon, Simon Lardinois explained that the Pinduoduo application available on the Chinese app store is actually advanced malware that abuses a number of security vulnerabilities in Android devices.
“The vulnerabilities abused allow Pinduoduo to extract information about users, to install itself stealthily from web links, to prevent users from uninstalling it and much more,” he said.
“This makes the app much more dangerous than a regular Android malware, not only due to the sensitivity of the information it can extract (WeChat messages, notification history and much more), but also due to its ability to install itself without the user’s knowledge.”
Normal apps should never be able to do this – or at least not to this extent, Lardinois said.
But Pinduoduo works “very differently” to most apps, he continued.
“It will abuse a number of security vulnerabilities on the device to be able to do things it normally shouldn’t be able to,” Lardinois explained.
“It is able to gain higher privileges than a regular app, allowing it to grant itself permissions, access parts of the system that applications do not have access to, or even the data of the other applications, which is normally not possible.”
The malware allegedly found in Pinduoduo exploited previously unknown vulnerabilities in the devices’ software, so no patch existed when the attacks began.
Cybersecurity researchers have suggested this was Pinduoduo’s ‘plan’ to gain access to data from rival shopping apps.
Google Play Store
The Pinduoduo application has been removed from the Google Play Store.
But the app’s ability to secretly download itself onto devices poses a threat to all smartphone users – not just those in China, say experts.
“People in the UK are unlikely to willingly download the malware version of the application since it is only available from the Chinese App Store,” Lardinois noted.
“They are much more likely to download the version available on the Google Play Store, which does not exhibit malicious behaviour.
“However, it is possible for those people to get ‘infected’ by the malware version.
“Some of the vulnerabilities exploited by the malware version of PDD allow it to install itself on a device from a simple web link opened in the browser or from third party messaging apps.
“If this were to occur, they would essentially face the same risks as the people in China, i.e. a lot of their information will be extracted, and they would have trouble uninstalling the application.”
While it’s unlikely Brits would willingly download the app, those visiting China may accidentally install the infected version of Pinduoduo, David Emm, Principal Security Researcher at Kaspersky, hypothesised.
“One of the tricks malware writers use is to create a perfectly normal app which has the ability to update itself with additional functionality, some of which being potentially malicious,” added Emm.
“Because of that, we would always recommend users to download apps from authorised developers and from legitimate sources.”
Fans of sideloading – the practice of installing Android apps from outside the official app store – must also be extra careful, SecureTeam’s Reynolds noted.
“Downloading Pinduoduo from an unofficial app store would be exceptionally dangerous, as it was from these sources that malware was originally detected,” he said, adding that Android owners should simply avoid sideloading altogether.
Android owners should check their phone for the app and delete it “immediately as a precaution,” added Reynolds, as well as keep an eye out for any signs of malware on their device.
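As an added example (not from the article, and not Temu’s or Pinduoduo’s own tooling), here is how an Android owner with USB debugging enabled can do the check Reynolds recommends from a computer with adb, and also see the kind of permissions discussed earlier in the article: list the installed packages, flag the two watchlist apps and where their APKs live, and show which sensitive permissions each app has actually been granted. The package names are assumptions taken from the apps’ store listings; the sample adb output is constructed so the parsing runs offline.

```shell
#!/bin/sh
# Added example, not code from The Sun or from either vendor: triage an Android
# phone over adb for the Pinduoduo / Temu packages and review the permissions
# they actually hold. Package names below are ASSUMPTIONS taken from the apps'
# store listings; check them against what your own device reports.
set -u

WATCHLIST="com.xunmeng.pinduoduo com.einnovation.temu"

# Read `pm list packages -f` lines from stdin and report every watchlist
# package found, with its APK path. An APK outside /data/app was not installed
# the ordinary way (system image, or planted with elevated privileges).
find_watchlist_packages() {
    while IFS= read -r line; do
        case "$line" in package:*) ;; *) continue ;; esac
        pkg=${line##*=}                          # text after the last '='
        path=${line#package:}; path=${path%=*}   # between 'package:' and '='
        for w in $WATCHLIST; do
            [ "$pkg" = "$w" ] || continue
            case "$path" in
                /data/app/*) echo "$pkg $path user-install" ;;
                *)           echo "$pkg $path UNUSUAL-LOCATION" ;;
            esac
        done
    done
}

# Read `dumpsys package <pkg>` output from stdin and print the permissions
# that are granted (install-time or runtime) and touch radios, location,
# messaging, contacts or sensors; everything else is filtered out.
granted_sensitive_permissions() {
    sed -n 's/^[[:space:]]*\(android\.permission\.[[:upper:]_]*\): granted=true.*/\1/p' |
    grep -E 'BLUETOOTH|WIFI|LOCATION|SMS|CONTACTS|CALL_LOG|RECORD_AUDIO|CAMERA' |
    sort -u
}

# Live mode: run the same checks against a USB-attached device.
live_scan() {
    adb shell pm list packages -f | find_watchlist_packages
    for w in $WATCHLIST; do
        adb shell pm path "$w" >/dev/null 2>&1 || continue
        echo "== $w"
        adb shell dumpsys package "$w" | granted_sensitive_permissions
        # Removal, commented out so the scan stays read-only:
        # adb shell pm uninstall -k --user 0 "$w"
    done
}

# Constructed sample output (not captured from a real device) so the parsing
# can be exercised offline.
SAMPLE_PM='package:/data/app/~~Q1/com.xunmeng.pinduoduo-1/base.apk=com.xunmeng.pinduoduo
package:/system/app/Foo/Foo.apk=com.example.foo
package:/product/app/Bar/Bar.apk=com.einnovation.temu'

SAMPLE_DUMPSYS='  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.BLUETOOTH: granted=true
    android.permission.ACCESS_WIFI_STATE: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]'

case "${1:-}" in
    --live) live_scan ;;
    *) echo "$SAMPLE_PM" | find_watchlist_packages
       echo "$SAMPLE_DUMPSYS" | granted_sensitive_permissions ;;
esac
```

Run it with `--live` to query a connected phone. If `pm uninstall` fails or the app reappears after removal, which is the uninstall-resistance Lardinois describes, check `adb shell dumpsys device_policy` for an active device administrator that the app may have registered, and treat a reinstall as a sign the device needs a factory reset rather than another uninstall attempt.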
Pinduoduo and Temu could not be reached for comment.